Question: I have a custom decoder/rule which I believe should lead to an active response


My alert logs show:

OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:04 2016 us=815044 100.99.88.77:37778 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385171", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:10 2016 us=65544 100.99.88.77:62693 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385203", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:42 2016 us=65834 100.99.88.77:28569 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385211", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:26:50 2016 us=806194 100.99.88.77:59297 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385440", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:38 2016 us=310533 100.99.88.77:25104 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385448", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:46 2016 us=987802 100.99.88.77:4767 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"
OSSEC - TS:"1474385454", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0", LOCATION: "/var/log/openvpn/openvpn.log", EVENT: "[INIT]Tue Sep 20 15:30:53 2016 us=807904 100.99.88.77:10344 CRL CHECK FAILED: C=US, ST=PA, L=Pittsburgh, O=bossa_nova_robotics, OU=Software, CN=barret_revoke_key, name=EasyRSA, emailAddress=m...@email.com is REVOKED[END]"


I have a set of rules like the snippet below shows.

custom_rules.xml snippet:

<rule id="100504" level="5">
    <if_sid>100500</if_sid>
    <match>CRL CHECK FAILED</match>
    <description>Revoked Certificate Usage.</description>
    <group>authentication_failed,</group>
</rule>

<rule id="100505" level="5">
    <if_sid>100500</if_sid>
    <match>TLS handshake failed</match>
    <description>TLS handshake failed</description>
    <group>authentication_failed,</group>
</rule>


<rule id="100506" level="10" frequency="3" timeframe="120"  ignore="90">
    <if_matched_sid>100504</if_matched_sid>
    <same_source_ip/>
    <description>Multiple Revoked CRL OpenVPN authentication failures.</description>
    <group>authentication_failures,</group>
</rule>


<rule id="100507" level="10" frequency="3" timeframe="120"  ignore="90">
    <if_matched_sid>100505</if_matched_sid>
    <same_source_ip/>
    <description>Multiple OpenVPN authentication failures.</description>
    <group>authentication_failures,</group>
</rule>

<rule id="100508" level="0">
    <if_sid>100500</if_sid>
    <match>error trying to bind as user|</match>
    <match>PLUGIN_AUTH_USER_PASS_VERIFY failed with status|</match>
    <match>Username/Password verification failed for peer|</match>
    <match>SIGUSR1[soft,tls-error] received, client-instance restarting</match>
    <description>OpenVPN message that is useless, redundant, or lacking context.</description>
</rule>

My expectation is that rule 100507 should match if 100504 matches 3 times within 2 minutes.


I have active response enabled in my ossec.conf, but my active_response.log shows no activity.

Any advice?

Thanks

-barrett
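An added example (not part of the original post, and not OSSEC's own code): a small Python model of the composite-rule logic that rule 100506 relies on (if_matched_sid, same_source_ip, frequency, timeframe, ignore), replayed over the seven alert lines from the post with the LOCATION/EVENT fields trimmed. The trigger threshold is left as a parameter because the OSSEC rules documentation states that the number of matches that actually triggers a frequency rule is two more than the configured frequency; the `extra_matches` knob and the sliding-window model are assumptions made here so both readings can be checked against the same alerts. With the literal reading (three matches) the rule fires on the third and seventh alert; with the documented reading (five matches) the four alerts at 15:26 are not enough and nothing fires, which is one thing worth checking before looking at the active-response configuration.

```python
import re
from collections import defaultdict, deque

# Field extractor for the "OSSEC - TS:..., RID: ..., SRCIP: ..." alert format shown in the post.
ALERT_RE = re.compile(r'TS:"(?P<ts>\d+)".*?RID: "(?P<rid>\d+)".*?SRCIP: "(?P<srcip>[^"]+)"')

# Sample input: the seven alert lines from the post, LOCATION/EVENT fields trimmed.
SAMPLE_ALERTS = """\
OSSEC - TS:"1474385165", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
OSSEC - TS:"1474385171", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
OSSEC - TS:"1474385203", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
OSSEC - TS:"1474385211", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
OSSEC - TS:"1474385440", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
OSSEC - TS:"1474385448", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
OSSEC - TS:"1474385454", RID: "100504", RL: "5", RG: "openvpn,authentication_failed,", RC: "Revoked Certificate Usage.", USER: "barret_revoke_key", SRCIP: "100.99.88.77", HOSTNAME: "hostgateway-0"
"""


def parse_alert(line):
    """Return (timestamp, rule_id, srcip) for one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return int(m.group("ts")), m.group("rid"), m.group("srcip")


class FrequencyRule:
    """Simplified model (an assumption, not OSSEC's implementation) of a composite rule with
    if_matched_sid, same_source_ip, frequency, timeframe and ignore. The trigger threshold is
    frequency + extra_matches so the two readings of 'frequency' can be compared."""

    def __init__(self, rule_id, if_matched_sid, frequency, timeframe, ignore, extra_matches=0):
        self.rule_id = rule_id
        self.if_matched_sid = if_matched_sid
        self.threshold = frequency + extra_matches
        self.timeframe = timeframe
        self.ignore = ignore
        self.history = defaultdict(deque)   # srcip -> timestamps of recent child-rule matches
        self.ignore_until = {}              # srcip -> time until which firing is suppressed

    def feed(self, ts, rid, srcip):
        """Feed one alert; return the composite rule id if it fires on this alert, else None."""
        if rid != self.if_matched_sid:
            return None
        if ts < self.ignore_until.get(srcip, 0):
            return None                      # inside the ignore window after a previous fire
        window = self.history[srcip]
        window.append(ts)
        while window and ts - window[0] > self.timeframe:
            window.popleft()                 # drop matches older than the timeframe
        if len(window) >= self.threshold:
            window.clear()
            self.ignore_until[srcip] = ts + self.ignore
            return self.rule_id
        return None


def run(alert_text, extra_matches=0):
    """Replay alert lines through rule 100506's parameters; return [(ts, srcip)] where it fired."""
    rule = FrequencyRule("100506", "100504", frequency=3, timeframe=120, ignore=90,
                         extra_matches=extra_matches)
    fired = []
    for line in alert_text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts, rid, srcip = parsed
        if rule.feed(ts, rid, srcip) is not None:
            fired.append((ts, srcip))
    return fired


if __name__ == "__main__":
    print("threshold 3 (literal reading):", run(SAMPLE_ALERTS))
    print("threshold 5 (frequency + 2):  ", run(SAMPLE_ALERTS, extra_matches=2))
```

The second run is the one to compare against the posted timestamps: the four 15:26 alerts are 46 seconds apart and the next one arrives 229 seconds later, so under a five-match threshold no 120-second window ever holds enough events, and a composite rule that never fires gives active response nothing to act on.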
